general defensive crypto coding principles

Simon Josefsson jas at extundo.com
Wed Feb 8 12:47:52 EST 2006 

"Travis H." <solinym at gmail.com> writes:

> Hey,
>
> In "Practical Cryptography", Schneier mentions a couple of general
> principles that he thinks wise when writing code which uses or
> implements cryptographic routines.
...
> 3) Authenticate the plaintext, not the ciphertext.  This is a general
> application of the rule "use semantically appropriate constructs". 
> That is, our point in signing is to authenticate the plaintext, not an
> encrypted version of it.  This has the drawback that decryption must
> occur before authentication, which is a possible DoS vector.

I wonder whether this is really a good suggestion, considering
Krawczyk's paper that show that this construct is not generically
secure.  See <http://eprint.iacr.org/2001/045>.

> 4) Try to eliminate security dependencies between modules.  That is,
> when you read from the RNG subsystem, check the values to see if they
> indicate a broken RNG (let's avoid pointing out the obvious problem
> with this by saying that all outputs are equally likely, and thus no
> sequence is more "random" than any other, in his code he just aborts a
> probabilistic algorithm if it fails too many times).

I'd say this leads to complex code that is difficult to audit.
Consequently a questionable recommendation.

> Then there are a few I'm not sure I understand:
>
> A) Allow a factor of two in strength increase.  That is, if you
> generate and use 1024 bit keys in the application, allow
> interoperability with 512-2048 bits.

A 1024 bit RSA key is not twice as strong as a 512 bit RSA key, nor is
a 2048 bit RSA key twice as strong as a 1024 bit RSA key.  Factoring
algorithm don't scale that way.

> I think this violates the interoperability rule "be liberal in what
> you accept and conservative in what you generate".

I believe it is now well accepted that this idiom is a poor idea for
security products in particular, and perhaps also in general.  You
should _not_ be liberal in what you accept.

> In particular, some of my sshd's don't accept 4096-bit keys, which
> annoys me greatly every time I try to ssh to them and it barfs into
> syslog.

Are you sure the above is the reason for this?  Perhaps the sshd
simply didn't support 4096 bit keys.

Cheers,
Simon

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list